PCI rules don't mention whitelisting as a technology, but some PCI auditors giving it the thumbs-up

The influential Payment Card Industry (PCI) rules call for use of antivirus software to protect debit and credit cards, but some retailers have found a substitute that's been accepted in place of it: whitelisting technology.

Application whitelisting works on a host computer to prevent unauthorized applications from running. The official PCI rules published by the PCI Security Standards Council don't include any mention of it, but some merchants and retailers are saying that their PCI-certified auditors are signing off on whitelisting as a substitute for antivirus software, which they say gives them a much-needed break from A/V.

"We started out with antivirus," says Bruce Snyder, manager of IT retail operations at La Crosse, Wis.-based convenience store chain Kwik Trip, which has 436 locations. But on the store's point-of-sale (POS) systems in particular, running antivirus turned out to be hugely resource-intensive, enough so that it was even slowing down POS devices and impacting customer service.

Kwik Trip decided to try whitelisting technology -- its vendor is Bit9 -- as a substitute for antivirus since whitelisting should stop malware from executing. But as a sizeable "Level 1" retailer in the PCI-compliance world, Kwik Trip needed to have its PCI qualified security assessor (QSA), McGladrey, sign off on the change. The PCI auditor did, approving whitelisting as a substitute for antivirus. "They allowed us to do that, to replace A/V with whitelisting as a 'compensating control,'" Snyder says.

Today, Bit9 software is running only on Kwik Trip's POS terminals, but will be extended to store PCs by the end of next year, Snyder says. He adds that he hopes the PCI Council considers broadening the data-security rules to include whitelisting in the future.

Another large retailer and Bit9 customer, Louisville, Ky.-based Thorntons, had a similar experience related to PCI compliance in its convenience stores. And its PCI QSA, Trustwave, also gave the thumbs-up to whitelisting, says Jeffrey O'Gara, network administrator there. Traditional A/V was harder to maintain because of the constant updates, and it took more megabytes to run than whitelisting does, he says.

The PCI Security Standards Council did not provide anyone to discuss whitelisting, but a spokeswoman noted: "If another type of solution addresses the identical threats with a different methodology than a signature-based approach, it may still be acceptable to meet the requirement."

Forrester analyst Chenxi Wang says it's not that common to hear about retailers subject to PCI rules using whitelisting as an approved substitute for A/V, but this phenomenon is occurring a lot outside the PCI-focused world.

Even though antivirus software is still widely used, there's increasing skepticism about the value of antivirus to prevent malware infections, Wang says. "If you ask them, 'do you use A/V today,' they say 'yes.' But if you ask them how effective it is, they all say A/V hasn't worked in a long time."

The downside of whitelisting has often been considered to be the difficulty of updating legitimate applications, but Wang says that this issue is fading as whitelisting products have gotten better. "It's not that much of a burden on the user experience," she says.
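To make concrete both what application whitelisting does on a host (block anything not explicitly approved, with no malware signature needed) and the update burden Wang describes (a legitimate new build has a new identity and is blocked until someone approves it), here is an added illustrative example. It is not code from the article, from Bit9, or from any of the retailers named; the sample "executables", file names and allowlist are constructed inline, and it uses a plain SHA-256 digest as the binary's identity, which is the simplest form of allowlist rule rather than any particular product's mechanism.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed sample "executables". In a real deployment these would be the
# bytes read from files on disk; they are inlined here so the example runs
# offline. None of these names refer to real products.
SAMPLE_BINARIES: Dict[str, bytes] = {
    "pos_terminal.exe":    b"POS terminal application build 1.0",
    "receipt_printer.exe": b"receipt printer driver build 2.3",
    "unknown_dropper.exe": b"binary that no one approved",
}


def sha256_hex(data: bytes) -> str:
    """Identity of a binary for allowlisting purposes: its SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()


# The allowlist is built from a known-good image: only these digests may run.
# Everything else is denied by default, which is what makes the approach
# independent of A/V signatures: a never-before-seen binary is blocked simply
# because it is not on the list.
ALLOWLIST: Set[str] = {
    sha256_hex(SAMPLE_BINARIES["pos_terminal.exe"]),
    sha256_hex(SAMPLE_BINARIES["receipt_printer.exe"]),
}


@dataclass(frozen=True)
class Decision:
    name: str
    digest: str
    allowed: bool
    reason: str


def check_execution(name: str, data: bytes, allowlist: Set[str]) -> Decision:
    """Default-deny enforcement: allow only if the digest is on the allowlist."""
    digest = sha256_hex(data)
    if digest in allowlist:
        return Decision(name, digest, True, "digest on allowlist")
    return Decision(name, digest, False, "digest not on allowlist (default deny)")


def check_all(binaries: Dict[str, bytes], allowlist: Set[str]) -> Dict[str, Decision]:
    """Evaluate every binary on the host against the allowlist."""
    return {name: check_execution(name, data, allowlist)
            for name, data in binaries.items()}


def to_log_line(d: Decision) -> str:
    """One line per decision in a shape a SIEM can parse; a BLOCK on a POS
    terminal is exactly the event an operator wants to be alerted on."""
    verdict = "ALLOW" if d.allowed else "BLOCK"
    return f'{verdict} name={d.name} sha256={d.digest[:16]}... reason="{d.reason}"'


def apply_vendor_update(name: str, new_data: bytes,
                        allowlist: Set[str]) -> Tuple[Decision, Decision, Set[str]]:
    """The maintenance cost the article mentions: a legitimate update produces a
    new digest, so it is blocked until an operator explicitly approves it.
    Returns (decision before approval, decision after approval, new allowlist);
    the allowlist passed in is left untouched."""
    before = check_execution(name, new_data, allowlist)
    approved = set(allowlist) | {sha256_hex(new_data)}   # operator approves new build
    after = check_execution(name, new_data, approved)
    return before, after, approved


if __name__ == "__main__":
    for decision in check_all(SAMPLE_BINARIES, ALLOWLIST).values():
        print(to_log_line(decision))
    # Simulate the vendor shipping build 1.1 of the POS application.
    before, after, _ = apply_vendor_update(
        "pos_terminal.exe", b"POS terminal application build 1.1", ALLOWLIST)
    print(to_log_line(before))   # blocked: the new build is not yet approved
    print(to_log_line(after))    # allowed once the allowlist is refreshed
```

The point of the last step is the trade-off the article describes: the same default-deny rule that stops the unapproved binary with no signature update also stops the vendor's own next build, so the operational work shifts from pushing A/V signature updates to keeping the allowlist in step with approved software changes. Commercial products reduce that burden with rules broader than a single file hash (for example, trusting a publisher or an approved updater), but the enforcement decision is the same default-deny check shown here.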